looks good to me after a quick read.

> On 23 Jun 2023, at 12:15, Amarendra Godbole <amarendra.godb...@gmail.com> 
> wrote:
> 
> I am planning to experiment with veb on my PC Engines apu2e4 board. It
> has three ports (em0, 1 and 2). Current configuration has em0 hooked
> up to cable modem, while em1 and em2 are internal LAN. I don't have a
> good ability to troubleshoot via a serial console, since the apu board
> sits in the garage on top of a cabinet -- running serial cable to a
> laptop is challenging, though not impossible. So I am looking for
> feedback so as to keep this troubleshooting time minimal.
> 
> Any feedback is welcome. Configs below. Thanks in advance.
> 
> -Amarendra
> 
> $ cat hostname.em1
> mtu 9000
> up
> 
> $ cat hostname.em2
> mtu 9000
> up
> 
> $ cat hostname.veb0
> add em1
> add em2
> add vport0
> link0
> up
> 
> $ cat hostname.vport0
> inet 192.168.1.1 255.255.255.0 192.168.1.255
> mtu 9000
> group internal
> up
> 
> $ cat pf.conf
> ruckus= "192.168.1.10"
> 
> table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
>                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
>                   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \
>                   203.0.113.0/24 }
> 
> set block-policy drop
> set loginterface egress
> set skip on lo0
> match in all scrub (no-df random-id max-mss 1440)
> 
> # spoof protection
> antispoof quick for egress
> block in from no-route
> block in quick from urpf-failed
> 
> # block martians!
> block in quick on egress from <martians> to any
> block return out quick on egress from any to <martians>
> 
> # default deny
> block all
> 
> # allow icmp
> match in on egress inet proto icmp icmp-type { echoreq } tag ICMP_IN
> block drop in on egress proto icmp
> pass in proto icmp tagged ICMP_IN max-pkt-rate 100/10
> pass in on egress inet proto icmp icmp-type { 3 code 4, 11 code 0}
> 
> pass out quick on egress inet from internal nat-to (egress)
> pass out quick inet
> pass in on internal inet
> 
> # block dns queries that are not destined for our dns server.
> block return in quick on internal proto { udp tcp } to ! internal port
> { 53 853 }
> 
> # block Ruckus AP from "phoning home"
> block in quick on internal from $ruckus
> 
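The concern in the quoted message is applying a veb/vport change on a headless router where a mistake means a trip to the garage with a serial cable. The usual answer is a dead-man rollback: back up the old hostname.* files, schedule a timer that restores them and re-runs netstart, apply the change, and cancel the timer only once a fresh login over the new configuration succeeds. The POSIX sh helper below is an added example written for this reply, not code from the thread; it assumes OpenBSD's /etc/hostname.* layout and `sh /etc/netstart` as the re-apply command, and every path, timeout and function name in it is my own choice (overridable through environment variables so the logic can be exercised in a scratch directory).

```shell
#!/bin/sh
# Added example (not from the thread): stage a hostname.* change on a headless
# OpenBSD router with a dead-man rollback, so a typo that cuts the LAN side
# reverts on its own instead of needing the serial console.
# Assumptions: OpenBSD's /etc/hostname.* files and `sh /etc/netstart` as the
# re-apply command; all paths/commands below are constructed defaults.

CONF_DIR=${CONF_DIR:-/etc}                         # where hostname.* live
BACKUP_DIR=${BACKUP_DIR:-/root/netconf.bak}        # copies of the old files
APPLY_CMD=${APPLY_CMD:-sh /etc/netstart}           # re-reads hostname.*
ROLLBACK_SECS=${ROLLBACK_SECS:-300}                # grace period in seconds
PIDFILE=${PIDFILE:-/var/run/netconf-rollback.pid}  # pending rollback timer

# backup_configs IF...: copy the current hostname.IF files aside. An interface
# that has no file yet (e.g. a new veb0) gets a marker so restore removes it.
backup_configs() {
    mkdir -p "$BACKUP_DIR"
    rm -f "$BACKUP_DIR"/hostname.*
    for ifn in "$@"; do
        if [ -f "$CONF_DIR/hostname.$ifn" ]; then
            cp "$CONF_DIR/hostname.$ifn" "$BACKUP_DIR/hostname.$ifn"
        else
            : > "$BACKUP_DIR/hostname.$ifn.absent"
        fi
    done
}

# restore_configs: put every backed-up file back (or delete files that did not
# exist before) and re-apply the network configuration.
restore_configs() {
    for f in "$BACKUP_DIR"/hostname.*; do
        [ -e "$f" ] || continue                   # empty glob, nothing saved
        name=$(basename "$f")
        case "$name" in
            *.absent) rm -f "$CONF_DIR/${name%.absent}" ;;
            *)        cp "$f" "$CONF_DIR/$name" ;;
        esac
    done
    $APPLY_CMD
}

# schedule_rollback: background timer that restores the old files unless
# confirm_change runs first. Killing the subshell prevents the restore.
schedule_rollback() {
    ( sleep "$ROLLBACK_SECS" && restore_configs ) &
    echo $! > "$PIDFILE"
}

# confirm_change: run from a NEW login over the new configuration; cancels the
# pending rollback. Returns 1 if no rollback was scheduled.
confirm_change() {
    [ -f "$PIDFILE" ] || return 1
    kill "$(cat "$PIDFILE")" 2>/dev/null || true
    rm -f "$PIDFILE"
}

# Typical sequence on the router (commented out so the file is safe to source):
#   backup_configs em1 em2 veb0 vport0   # before editing anything
#   ... write the new /etc/hostname.{em1,em2,veb0,vport0} ...
#   schedule_rollback; sh /etc/netstart  # change goes live, timer ticking
#   ssh in again, then: confirm_change   # only reachable if the change works
```

The order matters: the backup is taken before the new files are written, and the timer is started before netstart so that a configuration that kills the session still gets reverted. With the MTU 9000 bridge in the quoted configs, a failed confirm within the grace period is exactly the signal that the new veb0/vport0 layout did not come up as expected.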
